Today I saw this here, which brought back to mind something that happened to me here in New Zealand some time ago: an example of how the expectation of security and authentication is geared only towards consumers having to identify themselves, while large organisations, such as banks, benefit from an implicit trust. This, of course, is a very dangerous mindset.

This is what happened: My phone rings, I pick up and the following exchange develops (it's been a while, but I try to recall the words as best I can):

Them: "Hi, this is suchandsuch from [insert name of my bank]. I need to talk to you about your account. To verify your identity, could you please state your name and phone-banking password?"

Me: Uh... who is this?

Them: It's suchandsuch from [insert name of my bank]. I need to talk to you about your account, and just need to confirm your identity.

Me: Yes, you said that already. But how do I know that you are really you and from [insert name of my bank]?

Them: Uh...

Me: Yeah, you know? I mean, anyone could just call me and say they are you, right? Nothing personal, really, but could you please prove your identity to me, before I go ahead and tell you my name and password and all that sensitive information?

Them: Well... I don't know how...

Me: Yes, you see? We have a problem here. I don't know who you are, and therefore I can't just go and tell you this information.

Them: Uh...

Me: You know, you should have some sort of password that only you - the bank - and I know, and which therefore you can tell me when you talk on the phone, so that I know for sure that it is really you.

Them: I guess ... yes... uh.

Me: So, what do we do about this now?

Them: Hm. Maybe you could call back on one of our official customer support phone numbers, and ask for me?

Me: Yes, I think that's what I will have to do. Thank you...

Of course, by the time I got around to calling the official customer support number of my bank, I was told that the lady I spoke to was now on another call, and so I had to explain that someone wanted to talk to me about something but that I didn't know about what, etc., etc. Annoying and time-consuming.

So, what do we see here? The burden of proof during the phone banking exchange goes one way only. You - as the consumer - have to produce a certificate of sorts, some password and other information that is considered to be a reliable indicator of your identity. The other side though? Nothing. Even if they are the ones contacting you!

Since this is commonplace, widespread and widely accepted without most people giving it a second thought, it is a perfect environment for phishing attacks. We are slowly waking up to this threat online, and take a closer look when browsers pop up warnings about invalid SSL certificates, or if something else looks amiss. There are even some sites now that try to identify themselves to you by means of a token they display, which only you and the legitimate site know (a picture of your pet, for example, or some such thing).

But do we have this for phone banking? No, I don't know of any system or institution that uses anything to that effect. Also, if they really did just blurt out my nicely pre-established password on the phone, what happens when they dial the wrong number, or someone who shouldn't have heard that password picks up the phone? They can then go and impersonate the bank to me, which is not the desired outcome either.

Maybe the best approach is just to leave a message, or call me with instructions to call back on one of the official support lines. These instructions should contain a unique case number, which I can quote when I call back (after proving my identity in the usual manner). This case number should then bring up all the necessary information for whichever help-desk person I am talking to, so that I don't have to explain what's going on or ask for a person by name who may or may not be available at that time.

I don't see anything being done in that respect, though. Public awareness that this is a big security hole seems to be close to non-existent. The slight inconvenience of this approach would probably be a turn-off for many people. So, for the time being, we just have to refuse to talk to banks and other institutions if they cannot identify themselves, especially if they start the conversation by asking us to show them all the goodies.

I always ask them a couple of security questions, like the year I was born, some digits of one of my bank cards, etc. They usually think it's cool that I put this back on them, and they do comply (unless it's Amex; they are a bit more, yea ...)

Comment
by Mister smooth, on 13-Jun-2008 09:08

Another area that is open to exploitation is the banks' habit of allowing PIN numbers to be changed over the phone. All it takes is knowledge of the account holder's mother's maiden name, the account holder's birthdate and their bank account number, all readily phishable information that can be found on the net.

Author's note
by foobar, on 13-Jun-2008 09:24

@coffeebaron: And do they tell you your year of birth before or after they have verified your identity?

If it's after then you already gave answers to the security questions before you knew it was really them. If it was before then they told someone who is potentially not you your year of birth.

In both cases we have a problem...

Comment
by cisconz, on 13-Jun-2008 09:57

When I was at Alarm NZ we had Customer PINs and Station PINs.

The Station PIN we had to quote to the client. The Customer PIN they had to quote to us.

Comment
by AJ, on 13-Jun-2008 10:17

I have been through exactly this with a utility company in Victoria, Australia.

I had requested power connection to my house -- and got a phone call back a few days later where the first thing they wanted to do was verify my identity. The phone call went very similarly to yours.

Them: Hi, it's from , am I talking to Mr. AJ?

Me: Yes you are.

Them: I just need to ask you some questions to verify your identity. Can I have your drivers licence number?

Me: No.

Them: I need to verify your identity.

Me: You called me on my cellphone number provided on the application form.

Them: I need to verify your identity... can I have your address please?

Me: No.

Rinse, repeat. When I tried to explain to them why I wasn't going to authenticate myself to them until they authenticated themselves to me, the guy got very rude and eventually hung up on me.

My power got turned on.

I wrote a complaint letter later on, addressing it to the head of customer service, the CEO, and also to their internal security director (by title, not by name). Ended up getting a "we're sorry" letter and the first 3 months of my power bill waived.

Author's note
by foobar, on 13-Jun-2008 10:25

@cisconz: Yes, but who quotes first? Whoever does will be giving away some information to an unverified other party. I really think that the best way would be for the company to simply ask the consumer to call back on one of the official phone lines.

Comment
by sbiddle, on 13-Jun-2008 13:10

An alarm monitoring company is slightly different to a bank, foobar - you want a security company to contact you, and obviously being sure that they are speaking to the correct person (rather than a burglar) is important.

A person could also be in a duress situation as well.

Comment
by paradoxsm, on 13-Jun-2008 15:10

As far as I'm aware it's not normal practice for them to ask for such things as "internet banking passwords"! Sounds like a scam to me. Many banks have on their hold messages "the bank will NEVER ask for PINs or passwords". This sounds like a scam.

They may ask you to confirm your address and DOB, but my advice is to simply ask for their employee number and then ring the bank back through a known official number (not call back a number they have given you!)

Author's note
by foobar, on 13-Jun-2008 15:18

@paradoxsm: Actually, I wrote that they asked for the 'phone banking password', not the Internet password. And, yes, naturally you cannot rely on a phone number that they give you over the phone. I called back the customer support number that I had used and known before.

Comment
by robin, on 13-Jun-2008 15:22

NZ IRD routinely call people and ask for sensitive information. I spoke to their senior management about why this isn't a good idea and they didn't really understand it or, ultimately, give a toss. That was months ago and they still haven't responded to me raising this issue.

Comment
by mobygeek, on 14-Jun-2008 10:51

The original suggestion on the post is great. And I think some sort of ID for the rep calling you is good, too. And of course, because I am learning from you all, I would be suspicious and ring back on the official number that I already have. The last time security rang me it was to tell me the alarm had been activated in such and such position (room). I was on the motorway and had to get one of the kids to check it for me. Then when I rang back on their 0800 number, I had to give my pin code. Wait a minute, what if it was them giving me the 0800 number... Doh!
